Unified Threat Investigation Use Case
Limited Availability: To access the User UID feature, contact Skyhigh Support or your account manager for assistance.
Skyhigh lets you use the User UID filter to identify and investigate incidents, activities, threats, and anomalies associated with a specific user across Sanctioned, Shadow, and Web services. By correlating these records across all three service types, Security Operations Center (SOC) administrators get a unified and streamlined approach to threat investigation: they can conduct in-depth forensics of policy violations, respond quickly to potential threats, and mitigate security risks efficiently.
Use Case: Suppose that, while investigating high-risk incidents, you discover that a user has uploaded a sensitive file to Microsoft Office 365/OneDrive. You can use the User UID filter to determine whether the same file was uploaded to other Sanctioned, Shadow, or Web services, and by which users. To do so, the SOC admin applies the User UID filter on the relevant Policy Incidents and Activities cloud cards.
Follow these steps to achieve the use case:
- On the Policy Incidents (Incidents > Policy Incidents) page:
  - Select a high-risk DLP incident from the Incidents table to open its cloud card. For example, select a Sanctioned DLP incident for a file named Customer sensitive info.docx.
  - On the DLP Incident cloud card, click the filter next to User UID.
    You can now view all DLP incidents triggered by the specific user across Sanctioned, Shadow, and Web services in the Incidents table.
  - From the Incidents table, select a different type of DLP incident with the same file name. For example, select a Shadow/Web DLP incident for the Customer sensitive info.docx file.
  - On the DLP Incident cloud card, click User Name to view the User Details cloud card.
  - On the User Details cloud card, click Activities.
- On the Activities page:
  - Select File Upload for the Top Activity Types filter.
    You can now view all file upload activities performed by the specific user across Sanctioned, Shadow, and Web services in the Activities table.
  - From the Activities table, select a file upload activity.
  - On the Activities cloud card, click the filter next to User UID, and click the filter next to File Name. (For example, click the filter next to the file name Customer sensitive info.docx.)
  - Remove the User UID filter from the omnibar.
    You can now view all users who uploaded the same file to Sanctioned, Shadow, and Web services in the Activities table.
  - Remove the Top Activity Type filter from the omnibar, and set the User Risk Type filter to High.
    You can now view all activities performed by high-risk users involving the same file across Sanctioned, Shadow, and Web services in the Activities table.
  - From the Activities table, select an activity performed by another high-risk user.
  - On the Activities cloud card, click User Name to view the User Details cloud card for the other high-risk user.
  - On the User Details cloud card, click Threats.
    You can now view all threats associated with the other high-risk user across Sanctioned, Shadow, and Web services in the Threats table.
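The pivot sequence above, expressed as correlation logic over constructed records. This is an added example, not Skyhigh's own code or API; the field names user_uid, service_type, activity_type, file_name and user_risk are assumptions chosen to mirror the filters named in the procedure.

```python
# Added example: pivot logic mirroring the procedure above. Not Skyhigh's
# code or API; field names are assumptions matching the filters in the text.
from collections import defaultdict

FILE = "Customer sensitive info.docx"
# Constructed sample records: u-100 uploads the file to a Sanctioned and a
# Shadow service; high-risk u-200 uploads it to a Web service; u-400 is low risk.
INCIDENTS = [
    {"user_uid": "u-100", "service_type": "Sanctioned", "file_name": FILE},
    {"user_uid": "u-100", "service_type": "Shadow", "file_name": FILE},
    {"user_uid": "u-300", "service_type": "Web", "file_name": "budget.xlsx"},
]
ACTIVITIES = [
    {"user_uid": "u-100", "user_risk": "High", "service_type": "Sanctioned", "activity_type": "File Upload", "file_name": FILE},
    {"user_uid": "u-100", "user_risk": "High", "service_type": "Shadow", "activity_type": "File Upload", "file_name": FILE},
    {"user_uid": "u-200", "user_risk": "High", "service_type": "Web", "activity_type": "File Upload", "file_name": FILE},
    {"user_uid": "u-200", "user_risk": "High", "service_type": "Web", "activity_type": "File Download", "file_name": FILE},
    {"user_uid": "u-400", "user_risk": "Low", "service_type": "Web", "activity_type": "File Upload", "file_name": FILE},
]
THREATS = [
    {"user_uid": "u-200", "service_type": "Web", "name": "Data Exfiltration"},
    {"user_uid": "u-300", "service_type": "Sanctioned", "name": "Compromised Account"},
]

def incidents_for_user(incidents, user_uid):
    """User UID filter on the incident card: the user's incidents across all services."""
    return [i for i in incidents if i["user_uid"] == user_uid]

def uploaders_of_file(activities, file_name):
    """File Upload + File Name filters with User UID removed: who uploaded the file, and where."""
    who = defaultdict(set)
    for a in activities:
        if a["activity_type"] == "File Upload" and a["file_name"] == file_name:
            who[a["user_uid"]].add(a["service_type"])
    return dict(who)

def high_risk_activity_on_file(activities, file_name):
    """Top Activity Type filter removed, User Risk Type = High: any activity on the file by high-risk users."""
    return [a for a in activities if a["file_name"] == file_name and a["user_risk"] == "High"]

def threats_for_user(threats, user_uid):
    """Threats tab on the User Details card."""
    return [t for t in threats if t["user_uid"] == user_uid]

def investigate(seed, incidents=INCIDENTS, activities=ACTIVITIES, threats=THREATS):
    """Run the full pivot from one high-risk incident and report the other high-risk users involved."""
    uid, fname = seed["user_uid"], seed["file_name"]
    others = {a["user_uid"] for a in high_risk_activity_on_file(activities, fname)} - {uid}
    return {
        "services_hit_by_user": sorted({i["service_type"] for i in incidents_for_user(incidents, uid)}),
        "uploaders": uploaders_of_file(activities, fname),
        "other_high_risk_users": {u: [t["name"] for t in threats_for_user(threats, u)] for u in sorted(others)},
    }
```

Calling investigate(INCIDENTS[0]) starts from the Sanctioned incident, as the procedure does, and reports which services the user hit, who else uploaded the file, and the threats recorded against the other high-risk users.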
